Thieves got into StubHub accounts for $1.6M payday

NEW YORK (AP) — Some of the hottest tickets in town — to Broadway hits, Jay-Z and Justin Timberlake concerts, a New York Yankees-Boston Red Sox game — were snapped up by an international ring of cyber thieves who commandeered more than 1,000 StubHub users’ accounts to make big money by fraudulently buying tickets and reselling them, prosecutors said Wednesday.

Ten people around the world have been indicted or arrested in connection with the case, which involved more than 3,500 tickets and at least $1.6 million in unauthorized purchases of sought-after seats, some to sold-out shows or behind the Yankee Stadium dugout, Manhattan District Attorney Cyrus R. Vance Jr. said.

“Today’s arrests and indictment connect a global network of hackers, identity thieves and money-launderers” who targeted the leading digital marketplace for reselling event tickets, Vance said. The scheme spooled from Russia to London to Toronto to the New York area and even to Barcelona, Spain, where accused Russian ringleader Vadim Polyakov was arrested while vacationing earlier this month.

The case comes amid growing concern about data thieves targeting consumer giants, and it pointed up pitfalls customers may face in using one password in multiple parts of their online lives.

StubHub said it was alerted to “a small number of accounts that had been illegally taken over by fraudsters” last year, contacted authorities and gave the affected customers refunds.

While prosecutors said they weren’t certain how the alleged thieves got access, San Francisco-based StubHub said they got account-holders’ login and password information from key-loggers or other malware on the customers’ computers or from data breaches at other businesses. San Francisco-based StubHub, owned by eBay Inc., said there had been “no intrusions into StubHub technical or financial systems.”

In the last few years, such major companies as Target, LinkedIn, eBay and Neiman Marcus have been hacked. Since many customers use the same email and password on multiple websites, thieves can net a combination from one site that works in many others, data security experts say.

It’s like re-using “the same key for every lock in your life — especially if you’re giving that key out to everyone you meet,” says Joe Siegrist, the CEO of LastPass, which makes password-management software.

In the StubHub case, once the suspects had those digital keys, they were able to use the credit-card and other information stored in unsuspecting users’ accounts to buy tickets — some as pricey as a $994 pair of field-level seats to a St. Louis Rams-Houston Texans game, prosecutors said.

Buyers can download tickets directly to their StubHub accounts. Account-holders do get emails confirming their purchase; in some cases, those emails prompted customers to contact StubHub and report fraudulent buys, company spokesman Glenn Lehrman said.

After the buys, members of the ring re-sold the tickets and routed the money to others who laundered it, and the group split the profits, Vance said.

“This guy (Polyakov) is pretty much admitting he is a hacker,” one of the alleged fences, Daniel Petryszyn, wrote in an online chat, according to prosecutors. “These tickets are all profits ... I will launder all the money they want.”

Petryszyn, 28, and another accused re-seller, Bryan Caputo, 29, pleaded not guilty Wednesday to money laundering and stolen property possession charges. Petryszyn, who works at a catering business, “has every intention of challenging these charges,” said his lawyer, Liam Malanaphy.

Caputo, who works at a restaurant company, simply re-sold some tickets, said his lawyer, Reginald Sharpe. “If they were stolen, he didn’t know that they were,” Sharpe said.

Polyakov, 30, was awaiting extradition, and it wasn’t immediately clear whether he had a lawyer. Three other men indicted in the Manhattan case hadn’t yet been arrested; two are in Russia. Meanwhile, authorities have arrested three suspected money-launderers in London and one in Toronto on local charges there.